WikiLeaks Revealed Another CIA Cyber Weapons called “BothanSpy” and “Gyrfalcon” steals the SSH Credentials from both Windows and Linux Platform and both tools are performing in Different OS Platform and Different Attack vector.

SSH (Secure Shell) Protocol is used for Communicate Network services securely from unsecured channel Especially for user Perform Remote Login and The standard TCP port 22 has been assigned for contacting SSH servers.

This Tool has some advance functions that can not only steal user credentials of active SSH sessions but is also capable of collecting full or partial OpenSSH session traffic.

BothanSpy – Steals SSH Credentials from Windows

BothanSpy Only Targeting Windows Platform and Steals user credentials for all active SSH sessions and SSH client program Xshell.

According to CIA Document, BothanSpy will exfiltrate the stolen credentials through the Fire and Collect (F&C) channel and out to disk on the attacker-side.

Since BothanSpy Using F&C Channel, its never touches the Disk and it Writes Stolen Credentials to Disk that encrypted with AES.

BothanSpy.dll requires no configuration before it can be used and To setup the attack box touse F&C, copy the ice_handler.py script to the attack machine, and open a shell at this location.

Xshell should Run on the Targeting Windows Machine for BothanSpy perform itssuccessful Attack and it has active sessions, Otherwise, Xshell is not storing credential information in the location BothanSpy will search.

To Steal the Targets Credentials from all running Xshell processes that have active SSH ,CIA Used Following Command

BothanSpy Much concern with Xshell versions and it failed to steal the credentials from some of the version (Xshell version 2 build 0910).

Important Consideration of BothanSpy is, it will not perform version checking at any stage.

Gyrfalcon – Steals SSH Credentials from Linux

According to the CIA Document, Gyrfalcon is an SSH session “sharing” tool operates on outbound OpenSSH sessions from the target host which is Capable of log SSH sessions including Login credentials.

By Executing the command, a legitimate user on the remote host can able to access the logged credentials.

“It is configured in advance, executed on the remote host and left running. Sometime later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data”

Based on the Configuration with a list of target IP address/netmask combinations, this tool has the ability to track multiple outbound SSH sessions.

To Execute the Process, by added “a” Command and the Following information, operator promote into initiate the attack.

Specify an IPv4 or IPv6 address/netmask:

Specify Collection Behavior

Specify the path to executable file.

DocumentIntimate that, Gyrfalcon writes to a collection file in its working directory. The filename was specified in the config file. Gyrfalcon continues to stream data to this file during the course of its normal operation.

The operator must signal gyrfalcon to flush its collection buffers before the data can be collected.

All collected information is stored in an encrypted file for later exfiltration. It is installed and configured by using a CIA-developed rootkit (JQC/KitV) on the target machine.

GBHackers on security is a Cyber Security platform that covers daily Cyber Security News, Hacking News, Technology updates and Kali Linux tutorials. Our mission is to keep the community up to date with happenings in the Cyber World.